Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
3.4.0
-
None
-
Reviewed
Description
YARN-10339 introduced changes to ensure that PseudoAuthenticationHandler is used in TimelineClient when yarn.timeline-service.http-authentication.type=simple
PseudoAuthenticationHandler doesn't support delegation token ops like get, renew and cancel since those ops strictly require SPNEGO auth to work. We don't use timeline delegation tokens when simple auth is used.
Prior to YARN-10339, Timeline delegation tokens were unnecessarily used when yarn.timeline-service.http-authentication.type=simple, but hadoop security was enabled. After YARN-10339, the tokens are not used when yarn.timeline-service.http-authentication.type=simple.
In a rolling upgrade scenario, we can have a client which doesn't have YARN-10339 changes submitting an application and requests a Timeline delegation token even when yarn.timeline-service.http-authentication.type=simple. RM on the other hand can have YARN-10339 changes and so will result in error while trying to renew the token with PseudoAuthenticationHandler.
Attachments
Attachments
Issue Links
- is caused by
-
YARN-10339 Timeline Client in Nodemanager gets 403 errors when simple auth is used in kerberos environments
- Resolved